DESCRIPTION 

IMPROVED REDUCTION CALCULATIONS 

The present invention relates to a method of performing a reduction 
operation and to apparatus for performing a reduction operation. 

Elliptic Curve Cryptography (ECC) involves the use of calculations on 
an elliptic curve relationship over GF(p) and requires the multiplication of long 
integers which are carried out repeatedly during the implementation of, for 
example, public key algorithms in cryptographic processors. 

Typically, the multiplication operations must be carried out many 
hundreds of times to complete an encryption or decryption operation, and so it 
is important that the cryptographic devices that perform these operations 
execute the long multiplications quickly using a high speed multiplier. 

Increasingly, such cryptographic algorithms are used in electronic 
devices, for example smart cards, and in these applications processing 
capability and power consumption are severely limited. 

One conventional calculation method is the Quisquater system which 
operates on the Most Significant Word using the operation 

R'=R+(-N'*MSW). 

where N' is a special multiple of N. In fact, -N' is used in its 2's 
complement notation. 

The reduction operation is inefficient, and the result may be too large, 
necessitating the addition of (-N') to R. 

Another conventional calculation method is the Montgomery system 
which operates on the Least Significant Word using the operation 

R' = R + N·Q 

where Q = LSW·M mod 2^n. 

Again the reduction operation is inefficient and might be one bit too 
large requiring restoration by subtraction of N. 

It is therefore an object of the present invention to provide a more 
efficient reduction operation. 
It is also an object of the present invention to provide a reduction 
operation with a lower number of multiplication operations. 

It is also an object of the present invention to provide a reduction 
operation which provides fewer overflows in the calculation operations. 

It is also an object of the present invention to provide a reduction 
operation in which the reduction operation is completed faster. 

According to one aspect, the present invention provides a method of 
performing a reduction operation in a cryptographic calculation, the method 
comprising selecting a modulus having a first section with a plurality of "1" 
Most Significant Word states and a second section which comprises a plurality 
of "1" or "0" states whereby the number formed of the two sections is a 
modulus or a multiple of a modulus, and operating a reduction operation on the 
modulus/multiple. 

By this selection of a particular form of a modulus/multiple for use in the 
calculation, the reduction operation involves fewer multiplication operations. 

Thus a significant benefit provided by the present invention is that the 
time taken to complete the entire calculating operation is reduced. 

Moreover, the degree of security afforded by the method of the present 
invention is maintained as compared to conventional cryptographic methods. 

Preferably the method comprises monitoring the number of leading "1"s 
to determine if the number is less than (k-2). Advantageously, when the 
number of leading "1"s is less than (k-2), the next calculation is initiated. 

Thus a further advantage of the present invention is that a number of 
multiplication operations can be processed simultaneously, thereby reducing 
the time taken to complete calculating operations. 

In one embodiment of the present invention for 192-bit ECC and a word 
size of 64-bit, the modulus comprises a first section of 138 bits and a second 
section of 54 bits. 

In another embodiment of the present invention for 128-bit ECC and a 
word size of 64-bit, the modulus comprises a first section of 74 bits and a 
second section of 64 bits. 
In another embodiment of the present invention for 256-bit ECC and a 
word size of 64-bit, the modulus comprises a first section of 202 bits and 
second section of 54 bits. 

The invention can also work with a number of moduli which have fewer 
significant bits than a multiple of the word size. In that case, the system works 
with a multiple of the modulus which has the required number of leading "1"s. 
Only at the very end does the result have to be reduced to the original (smaller) 
modulus. 

In one preferred arrangement, the method of the present invention 
utilises a modulus consisting of m words, with all the words except the Least 
Significant Word (LSW) consisting of "1"s, and the LSW having, for example, ten 
leading "1"s. The number of leading "1"s in the LSW can be any number, bearing 
in mind that the larger it is, the less often an additional reduction is required. 

According to another aspect, the present invention provides a computer 
program product directly loadable into the internal memory of a digital 
computer, comprising software code portions for performing the method of the 
present invention when said product is run on a computer. 

According to another aspect, the present invention provides a computer 
program directly loadable into the internal memory of a digital computer, 
comprising software code portions for performing the method of the present 
invention when said program is run on a computer. 

According to another aspect, the present invention provides a carrier, 
which may comprise electronic signals, for a computer program embodying the 
present invention. 

According to another aspect, the present invention provides electronic 
distribution of a computer program product, or a computer program, or a 
carrier of the present invention. 

According to another aspect, the present invention provides apparatus 
for performing a reduction operation in a cryptographic calculation, the 
apparatus comprising means to select a modulus or a multiple of a modulus 
having a first section with a plurality of "1" states and a second section having 
a plurality of "1" or "0" states whereby the number formed of the two sections is 
a modulus or a multiple of a modulus. 

In order that the present invention may more readily be understood, a 
description is now given, by way of example only, reference being made to the 
accompanying drawings, in which:- 

Figure 1 is an application of the present invention in a smart card; 

Figure 2 is a schematic drawing of a reduction operation embodying the 
present invention for 192-bit ECC and 64-bit words; 

Figure 3 is a schematic drawing of another reduction operation of the 
present invention for 128-bit ECC and 64-bit words; 

Figure 4 is a schematic drawing of another reduction operation of the 
present invention for 256-bit ECC and 64-bit words; 

Figure 5 is a hardware implementation of the present invention. 

Figure 1 shows a block diagram of a hardware implementation of the 
present invention incorporating a smart card 50 with the following components: 

• Microcontroller 51 for general control to communicate with the outside 
world via the interface. It sets pointers for data in RAM/ROM and starts the 
coprocessor. 

• Interface to the outside world, for contact with smart cards e.g. according to 
ISO-7816-3. 

• A Read Only Memory (ROM) 52 for the program of the microcontroller. 

• A Programmable Read Only Memory (Flash or EEPROM) 53 for the non- 
volatile storage of data or programs. 

• RAM 54 for storage of volatile data, e.g. for storage of intermediate results 
during calculations. 

• Coprocessor 55 dedicated to perform special high-speed tasks for ECC or 
RSA calculations. When a task is ready, control is returned to the 
microcontroller. 

In a variant, the present invention is implemented in software with a 
microprocessor, an ALU to provide add, subtract and shift operations, 
programming of the controller to provide control logic, and degree detection by 
shift registers. 
There is shown in Figure 2 a reduction operation of the present 
invention which is performed with a modulus comprising in total 192 bits 
and having a first section which has all "1" states, being two 64-bit words and 
10 bits. The second section of the modulus is 54 bits and can be any number 
provided that the total number is a prime. The bigger the number, the less 
often an additional reduction is required. 

In general, N can be written as: 

N = n_{m-1}·B^{m-1} + ... + n_1·B + n_0   (B = 2^64) 

The special requirements for the selection of N are: 

• n_1 ... n_{m-1} are fixed and contain only 1's (n_1 = ... = n_{m-1} = B-1). 

• n_0 is general except for its k MSBs, which are also 1, leaving 64-k bits 
free to choose. 

Then N is written as 

N = B^m - B + n_0 = B^m - n_0'   with n_0' = B - n_0 

Let R be the result, which has to be reduced by 1 word. 

R = r_m·B^m + r_{m-1}·B^{m-1} + ... + r_1·B + r_0 

Reduce the result by subtraction of the product r_m·N from R as follows: 

R' = R - r_m·N 
   = r_m·B^m + r_{m-1}·B^{m-1} + ... + r_1·B + r_0 - r_m·(B^m - B + n_0) 
   = r_{m-1}·B^{m-1} + ... + r_2·B^2 + r_1·B + r_0 + r_m·(B - n_0) = (R - r_m·B^m) + r_m·n_0' 

This means that, for the reduction, omit the word r_m and add to the 
Least Significant Word r_0 the product r_m·n_0'. The reduction implies only one 
multiplication instead of the normal m multiplications. 

n_0' is always positive, since n_0 < B. The result is also always positive. 
Instead of n_0, store and use n_0'. 

In some cases, the result is 1 bit too large. Then it is necessary to 
subtract N again. 

R' = (B^m + r_{m-1}·B^{m-1} + ... + r_1·B + r_0) - (B^m - n_0') 
   = r_{m-1}·B^{m-1} + ... + r_1·B + (r_0 + n_0') = (R - B^m) + n_0'. 

So, we have only to add n_0' and discard the overflow bit B^m. 
For every multiplication by one word, do such a reduction. Alternatively, 
do first all multiplications and then the reductions. The last method is 
described here. The description below is for 192-bit ECC and a 64-bit word 
size (m=3). 

N = B^3 - B + n_0 = B^3 - n_0' ;  2^... < n_0 < B  (B = 2^64). 

R is the result of the multiplication of three 64-bit words by also three 
64-bit words, which results in 6 words (r_0 .. r_5). 
Then the reduction is done as follows: 

• Multiplication of n_0' by r_4 and adding r_1 (being step S1); 

• Multiplication of n_0' by r_5 and adding r_2, and the carry c of the 
previous multiplication. Moreover r_3 is added to the upper part of the 
multiplication. The result consists of the lower half, again called r_2, 
and the upper half q (step S2); 

• Multiplication of q by n_0' and adding r_0 and adding the new r_1 to the 
upper part (step S3); 

• When the last multiplication gives an overflow, the overflow is added 
to r_2, e.g. by the multiplication of n_0' by 0 (to give 0), the addition of r_1 
(giving r_1 as the lower half) and the addition of r_2 plus the overflow bit 
to the upper part (step S4); 

• When this gives again an overflow (i.e. only when r_2 consists of all 
ones, chance 2^-64), n_0' is added (step S5). 

• This can be done by the multiplication of n_0' by 1, adding r_0 to 
the lower half and r_1 to the upper half. 

The carry of the second multiplication (q) is used as multiplicand in the 
next multiplication, and can be enlarged by 1 bit. 

When the input r_1 to the multiplication n_0'·q does not have 8 leading 
ones (the probability being less than 1/256), there will be no overflow, since 
n_0'·q has at least 8 leading zeros because of n_0'. In that case, the program 
does not wait for the overflow to proceed. 

Handling of overflows involves time, which has to be minimised 
wherever possible. Accordingly, n_0 has a number of leading ones (k), so n_0' 
has at least k-1 leading zeros. 

Thus, the product n_0'·q has at least k-2 leading zeros, since q might be 
enlarged by 1 bit. 
In order to produce an overflow, the addition of B·r_1 + r_0 has to have at 
least k-2 leading ones and a carry c from the lower bits. 

The probability that this will happen is less than 2^-(k-2). Therefore, by 
making k high, the likelihood of an overflow is very small. 

The probability of the second overflow is extremely small (2^-64), since r_2 
has to consist completely of ones. 

In practice, a pipelined multiplier is used to provide efficient calculation 
operations, so a number of multiplications are being processed at the same 
time. It takes a few clock cycles to get the result from the multiplier. When it is 
necessary to wait to determine whether an overflow occurs, the next 
multiplications cannot begin until the overflow has been calculated. Thus r_1 is 
monitored, and if it does not have k-2 leading "1"s there will be no overflow a 
few cycles later, so the next multiplication can be started. 
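As an added example (not the patent's own code), the m = 3 schedule S1 to S5 above and the general one-multiplication step in Python: the multiplier is modelled as B·C + R = X·Y + B·U + Z + c, the modulus value is constructed with k = 10 and is not checked for primality, and the leading-ones test that decides whether the pipeline must wait for the overflow is included.

```python
import random

# Added example, not code from the patent: the special-modulus reduction
# N = B^m - n0' on 64-bit words, with the m = 3 (192-bit) schedule S1..S5.
W = 64
B = 1 << W
MASK = B - 1


def mul_step(x, y, u, z, c=0):
    """Model of the multiplier: B*C + R = x*y + B*u + z + c.
    Returns (lower word R, upper part C); C may be wider than one word."""
    t = x * y + (u << W) + z + c
    return t & MASK, t >> W


def make_modulus(m, k, low_bits):
    """N = B^m - B + n0 with n1..n(m-1) = B-1 and n0 having k leading ones.
    low_bits fills the remaining 64-k bits (constructed value; primality is
    not checked, the arithmetic below does not depend on it). Returns (N, n0')."""
    assert 1 <= k < W and 0 <= low_bits < (1 << (W - k))
    n0 = (((1 << k) - 1) << (W - k)) | low_bits
    return B ** m - B + n0, B - n0      # n0' = B - n0 has k-1 leading zeros


def reduce_one_word(R, m, n0p):
    """The general step R' = (R - r_m*B^m) + r_m*n0': one multiplication."""
    r_m = R >> (W * m)                  # the word(s) above B^m
    return (R & ((1 << (W * m)) - 1)) + r_m * n0p


def reduce_192(R, n0p):
    """Steps S1..S5 for m = 3: R is a six-word product r0..r5, B^3 == n0' mod N.
    Returns (three-word result congruent to R, whether S3 overflowed)."""
    r = [(R >> (W * i)) & MASK for i in range(6)]
    r1, c = mul_step(n0p, r[4], 0, r[1])            # S1
    r2, q = mul_step(n0p, r[5], r[3], r[2], c)      # S2, q may be 65 bits
    r0, hi = mul_step(n0p, q, r1, r[0])             # S3
    r1, ov = hi & MASK, hi >> W                     # ov is the overflow bit
    r2 += ov                                        # S4 (zero product in hardware)
    if r2 >> W:                                     # S5: r2 was all ones, B^3 -> n0'
        r0, hi = mul_step(n0p, 1, r1, r0)
        r1, r2 = hi & MASK, hi >> W                 # carry out of r1 restarts r2
    return r0 | (r1 << W) | (r2 << 2 * W), bool(ov)


def overflow_possible(r1, k):
    """Pipelining test: S3 can only overflow if r1 has at least k-2 leading ones."""
    top = k - 2
    return (r1 >> (W - top)) == (1 << top) - 1


def check_random(trials, seed=1):
    """Cross-check the schedule and the repeated general step against plain
    modular arithmetic on products of random 192-bit operands."""
    rng = random.Random(seed)
    N, n0p = make_modulus(3, 10, 0x2F1C9A3B7E5D1)
    for _ in range(trials):
        R = rng.getrandbits(192) * rng.getrandbits(192)
        res, _ = reduce_192(R, n0p)
        if res >= B ** 3 or res % N != R % N:
            return False
        folded = R
        while folded >= B ** 3:                     # general step, repeated
            folded = reduce_one_word(folded, 3, n0p)
        if folded % N != R % N:
            return False
    return True
```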

There is shown in Figure 3 a different embodiment for 128-bit ECC and 
a word size of 64-bit incorporating a modulus N having 128 bits. 

In this embodiment, 

N = B^2 - B + n_0 = B^2 - n_0' ;  2^... < n_0 < B. 

The operands have to be in normal space. 

Then the reduction is done as follows: 

• Multiplication of n_0' by r_3 and adding r_1. Also r_2 is added to the 
upper part of the multiplication (step S10). The result consists of the lower half, 
again called r_1, and the upper half, called q. 

• Multiplication of q by n_0' and adding r_0 and adding the new r_1 to the 
upper part (step S11); 

• When the last multiplication gives an overflow, then we add n_0' (step 
S12), e.g. by the multiplication/addition n_0'·1 + B·r_1 + r_0. 

There is shown in Figure 4 a different embodiment for 256-bit ECC and 
a word size of 64-bit incorporating a prime number having 256 bits. 
In this embodiment, 

N = B^4 - B + n_0 = B^4 - n_0' ;  2^... < n_0 < B. 
The operands have to be in normal space. 
Then the reduction is done as follows:- 
• Multiplication of n_0' by r_5 and adding r_1 (being step S20), with the new 
result called r_1. 

• Multiplication of n_0' by r_6 and adding r_2 and the carry c of the 
previous multiplication (step S21), with the new result called r_2. 

• Multiplication of n_0' by r_7 and adding r_3 and the carry c of the 
previous multiplication. 

Moreover r_4 is added to the upper part of the multiplication (step 
S22). The result consists of the lower half, again called r_3, and the 
upper half q. 

• Multiplication of q by n_0' and adding r_0 and adding the new r_1 to the 
upper part (step S23); 

• When the last multiplication gives an overflow, the overflow is added 
to r_2 (step S24); 

• When this again gives an overflow, it is added to r_3 (step S25); 

• When this gives again an overflow, n_0' is added (step S26). 

The carry of the third multiplication (q) is used as multiplicand in the 
next multiplication, and can be enlarged by 1 bit. 

Figure 5 is a block diagram of a hardware implementation of the present 
invention having the following components: 

• X-, Y-, U- and Z-registers 10 to 13 for storing the input operands X, Y, 
U and R respectively; 

• C- and R-registers 14, 15 for storing outputs C and R; 

• RAM 16 for storing the intermediate results; 

• Multiplier 17 which performs the operation B·C + R = X·Y + B·U + Z + c; 

• State machine 18 which controls the operations and the transport 
between RAM and registers or between registers. 

Multiplier 17 calculates the product of X and Y and adds, if required, the 
previous carry c, which is internally stored. The result is split into two equal 
parts, Z being added to the lower half and U to the upper half. 

The output of C-reg 14 can also be directly used as Y-input (for example 
for q in Figure 2). 
In another form the present invention is implemented by software 
running on a microprocessor with appropriate ALU's to provide add, subtract 
and shift operations, and shift registers. 
CLAIMS 

1. A method of performing a reduction operation in a cryptographic 
calculation, the method comprising selecting a modulus having a first section 
with a plurality of "1" Most Significant Word states and a second section which 
comprises a plurality of "1" or "0" states whereby the number formed of the two 
sections is a modulus or a multiple of a modulus, and operating (S1-S5; S10- 
S12; S20-S26) a reduction operation on the modulus/multiple. 

2. A method according to Claim 1 comprising effecting a plurality of 
multiplication operations (S1). 

3. A method according to Claim 2 comprising effecting a plurality of 
multiplication operations followed by effecting a reduction operation (S1, S2). 

4. A method according to Claim 3 comprising repeating the 
combined multiplication operations and reduction operation (S1, S2). 

5. A method according to any preceding claim comprising using a 
multiple of the modulus/multiple. 

6. A method according to any preceding claim wherein, when the 
last multiplication gives an overflow (S4), the overflow is added to a part of the 
selected number. 

7. A method according to Claim 6 wherein, when the overflow 
addition step (S4) produces an overflow, then no' (S5) is added to the overflow. 


8. A method according to any preceding claim, wherein the carry c 
between two adjacent multiplications is effected as the addend in the next 
multiplication (S2). 
9. A method according to any preceding claim comprising 
monitoring the number of leading "1"s to determine if the number is less than 
(k-2). 

10. A method according to Claim 6 comprising initiating the next 
calculation when the number of leading "1"s is less than (k-2). 

11. A method according to any preceding claim the method 
comprising operating 192-bit ECC and a word size of 64-bit, the modulus 
comprises a first section of 138 bits and a second section of 54 bits. 

12. A method according to any of Claims 1 to 10 the method 
comprises operating 128-bit ECC and a word size of 64-bit, the modulus 
comprises a first section of 74 bits and a second section of 54 bits. 

13. A method according to any of Claims 1 to 10 the method 
comprising operating 256-bit ECC and a word size of 64-bit, the modulus 
comprises a first section of 202 bits and a second section of 54 bits. 

14. A computer program product directly loadable into the internal 
memory of a digital computer, comprising software code portions for 
performing the method of any one or more of Claims 1 to 13 when said product 
is run on a computer. 

15. A computer program directly loadable into the internal memory of 
a digital computer, comprising software code portions for performing the 
method of any one or more of Claims 1 to 13 when said program is run on a 
computer. 

16. A carrier, which may comprise electronic signals, for a computer 
program of Claim 15. 
17. Electronic distribution of a computer program product of Claim 14 
or a computer program of Claim 15 or a carrier of Claim 16. 

18. Apparatus for performing a reduction operation in a cryptographic 
calculation, the apparatus comprising means to select a modulus or a multiple 
of a modulus having a first section with a plurality of "1" states and a second 
section having a plurality of "1" or "0" states whereby the number formed of the 
two sections is a modulus or a multiple of a modulus, and means (10-17) for 
operating a reduction operation on the modulus/multiple. 

19. Apparatus according to Claim 18 comprising means (10-17) to 
effect a plurality of multiplication operations. 

20. Apparatus according to Claim 19 comprising means (10-17) to 
effect a plurality of multiplication operations followed by a reduction operation. 

21. Apparatus according to Claim 20 comprising means (10-17) to 
repeat the combined multiplication operations and reduction operation. 

22. Apparatus according to any of Claims 18 to 21 comprising means 
(10-17) to use a multiple of the modulus/multiple. 

23. Apparatus according to any of Claims 18 to 22 comprising means 
(10-17), when the last multiplication gives an overflow, to add the overflow to a 
part of the selected number. 

24. Apparatus according to Claim 23 comprising means (10-17), 
when the overflow addition step produces an overflow, to add no' to the 
overflow. 
25. Apparatus according to any of Claims 18 to 24 (10-17) 
comprising means to effect the carry c between two adjacent multiplications as 
the addend in the next multiplication. 

26. Apparatus according to any of Claims 18 to 25 (10-17) 
comprising means to monitor the number of leading "1"s to determine if the 
number is less than (k-2). 

27. Apparatus according to any of Claims 18 to 26 comprising means 
(10-17) to initiate the next calculation when the number of leading "1"s is less 
than (k-2). 

28. Apparatus according to any of Claims 18 to 27 with means (10- 
17) for 192-bit ECC and a word size of 64-bit, the modulus comprises a first 
section of 74 bits and a second section of 54 bits. 

29. Apparatus according to any of Claims 18 to 27 with means (10- 
17) for 128-bit ECC and a word size of 64-bit, the modulus comprises a first 
section of 74 bits and a second section of 54 bits. 

30. Apparatus according to any of Claims 18 to 27 with means (10- 
17) for 256-bit ECC and a word size of 64-bit, the modulus comprises a first 
section of 202 bits and a second section of 54 bits. 

31. A method of performing a reduction operation substantially as 
hereinbefore described with reference to, and/or as illustrated in, any one or 
more of Figures 1 to 5 of the accompanying drawings. 

32. Apparatus for performing a reduction operation in a cryptographic 
calculation, the apparatus substantially as hereinbefore described with 
reference to, and/or as illustrated in, any one or more of Figures 1 to 5 of the 
accompanying drawings. 
33. A method of performing a reduction operation in a cryptographic 
calculation, the method substantially as hereinbefore described with reference 
to, and/or as illustrated in, any one or more of Figures 1 to 5 of the 
accompanying drawings. 
ABSTRACT 

IMPROVED REDUCTION CALCULATIONS 

An Elliptic Curve Cryptography reduction technique utilises a prime 
number having a first section of Most Significant Word "1" states, with 
N = n_{m-1}·B^{m-1} + ... + n_1·B + n_0. 

[Figure 2] 